Storing encrypted objects

ABSTRACT

A seed value is received and a resource encryption key is generated from the seed value. The resource encryption key may be sent to an application server such that the application server system is able to encrypt a resource using the resource encryption key. Authentication credentials and a wrapped key are received and the wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is accessed from the unwrapped key it is determined that the received authentication credentials correspond to the accessed user identifier. The resource encryption key is sent in unencrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims priority from U.S. ProvisionalApplication Ser. No. 61/346,005, filed May 18, 2010. The contents of theprior application are incorporated herein by reference in theirentirety.

TECHNICAL FIELD

This document relates to hosted storage and associated cryptographic keystorage.

BACKGROUND

Hosted, or cloud-based storage, refers to off-site or remote datastorage that is typically provided by a third party. The third party mayimplement the hosted storage in a data center, and provide access to thehosted storage over a network, such as the Internet.

Encryption is the process of converting data, sometimes calledplaintext, using an algorithm and an encryption key to make itunreadable to anyone except those possessing the encryption key. Theresult of the process is encrypted information, sometimes calledciphertext.

SUMMARY

In a first aspect a method performed by one or more processors includesreceiving, from an application server system and at a key server system,a seed value. The method includes generating, at the key server system,a resource encryption key from the seed value. The method includessending, from the key server system to the application server system,the resource encryption key such that the application server system isable to encrypt a resource using the resource encryption key. The methodincludes receiving, from the application server system and at the keyserver system, authentication credentials and a wrapped key. The wrappedkey including a resource identifier, a resource encryption key, and auser identifier that have been encrypted using a master key. Theresource identifier identifies the resource encrypted with the resourceencryption key and the user identifier identifies a user that ispermitted to use the resource encryption key to decrypt the resource.The method includes decrypting the wrapped key to generate an unwrappedkey that includes the resource identifier, the resource encryption key,and the user identifier in unencrypted form. The method includesaccessing the user identifier from the unwrapped key. The methodincludes determining that the received authentication credentialscorrespond to the accessed user identifier. The method includes inresponse to determining that the received authentication credentialscorrespond to the accessed user identifier, sending the resourceencryption key in unecrypted form to the application server system suchthat the application server system can decrypt the resource using theresource encryption key in unencrypted form.

In a second aspect, a computer system includes a key server systemconfigured to receive, from an application server system and at a keyserver system, a seed value. The key server system is configured togenerate, at the key server system, a resource encryption key from theseed value. The key server system is configured to send, from the keyserver system to the application server system, the resource encryptionkey such that the application server system is able to encrypt aresource using the resource encryption key. The key server system isconfigured to receive, from the application server system and at the keyserver system, authentication credentials and a wrapped key. The wrappedkey includes a resource identifier, a resource encryption key, and auser identifier that have been encrypted using a master key. Theresource identifier identifies the resource encrypted with the resourceencryption key and the user identifier identifies a user that ispermitted to use the resource encryption key to decrypt the resource.The key server system is configured to decrypt the wrapped key togenerate an unwrapped key that includes the resource identifier, theresource encryption key, and the user identifier in unencrypted form.The key server system is configured to access the user identifier fromthe unwrapped key. The key server system is configured to determine thatthe received authentication credentials correspond to the accessed useridentifier. The key server system is configured to, in response todetermining that the received authentication credentials correspond tothe accessed user identifier, send the resource encryption key inunecrypted form to the application server system such that theapplication server system can decrypt the resource using the resourceencryption key in unencrypted form.

In a third aspect, a computer readable medium stores operations that,when executed by one or more processing devices, cause the one or moreprocessing devices to perform operations including receiving, from anapplication server system and at a key server system, a seed value. Theoperations include generating, at the key server system, a resourceencryption key from the seed value. The operations include sending, fromthe key server system to the application server system, the resourceencryption key such that the application server system is able toencrypt a resource using the resource encryption key. The operationsinclude receiving, from the application server system and at the keyserver system, authentication credentials and a wrapped key. The wrappedkey including a resource identifier, a resource encryption key, and auser identifier that have been encrypted using a master key. Theresource identifier identifies the resource encrypted with the resourceencryption key and the user identifier identifies a user that ispermitted to use the resource encryption key to decrypt the resource.The operations include decrypting the wrapped key to generate anunwrapped key that includes the resource identifier, the resourceencryption key, and the user identifier in unencrypted form. Theoperations include accessing the user identifier from the unwrapped key.The operations include determining that the received authenticationcredentials correspond to the accessed user identifier. The operationsinclude, in response to determining that the received authenticationcredentials correspond to the accessed user identifier, sending theresource encryption key in unecrypted form to the application serversystem such that the application server system can decrypt the resourceusing the resource encryption key in unencrypted form.

Implementations of the foregoing aspects can include any, all or none ofthe following features. A service associated with the wrapped key may beidentified and decrypting the wrapped key may include decrypting thewrapped key using a master key associated with the service.

A sharing request may be received from the application server and at thekey server system. The sharing request that may include i) theauthentication credentials, ii) the wrapped key, and iii) a second useridentifier. Decrypting the wrapped key included in the request may bedecrypted to generate the unwrapped key and the user identifier may beaccessed from the unwrapped key. It may be determined that the receivedauthentication credentials correspond to the accessed user identifierand, in response to determining that the received authenticationcredentials correspond to the accessed user identifier, the useridentifier in the unwrapped key may be replaced with the second useridentifier and the unwrapped key may be encrypted to generate a secondwrapped key. The second wrapped key may be sent to the applicationserver system.

The user identifier may indicate no more than one user. A format of theauthentication credentials and the user identifier may be identified andit may be determined that the received authentication credentialscorrespond to the accessed user identifier according to the identifiedformat.

The resource may be encrypted using the resource encryption key togenerate an encrypted version of the resource. Duplicates of theencrypted version of the resource store may be detected in a storagesystem and the detected duplicates may be removed from the storagesystem. Removing the detected duplicates from the storage system mayinclude deleting the detected duplicates and replacing the deletedduplicates with a pointer to the encrypted version of the resource.Encrypting the resource using the resource encryption key to generatethe encrypted version of the resource may include encrypting theresource using the resource encryption key and a deterministicencryption technique. The seed value may based on the resource and maybe a hash calculated from the resource.

The details of one or more implementations are set forth in theaccompanying drawings and the description below. Other features andadvantages will be apparent from the description and drawings, and fromthe claims.

DESCRIPTION OF DRAWINGS

FIG. 1A is a block diagram showing an example of a system for providinghosted storage and accessing the hosted storage from a client device.

FIG. 1B is a block diagram showing an example of a wrapped key scheme.

FIG. 2 is a flow chart showing an example of a process for storing datain a hosted storage service.

FIG. 3 is a flow chart showing an example of a process for providingdata in a hosted storage service.

FIG. 4 is a flow chart showing an example of a process for unwrapping awrapped key.

FIG. 5 is a flow chart showing an example of a process for creating aresource encryption key from a seed value.

FIG. 6 is a flow chart showing an example of a process for using akeystore to facilitate user-to-user sharing of encrypted data.

FIG. 7 is a flow chart showing an example lifecycle of an access controllist.

FIG. 8 shows an example of a computing device and a mobile computingdevice that can be used in connection with computer-implemented methodsand systems described in this document.

DETAILED DESCRIPTION

A hosted storage system can provide data storage for a variety ofapplications. The hosted data storage can receive data resources,associate the resources with user accounts, and provide access to theresources to authorized users. A system of buckets can be used to indexthe data storage space, and permission properties can be assigned to thebuckets or to the resources stored in the buckets.

The resources stored in the buckets can be encrypted with resourceencryption keys held in wrapped keys. Access to the resource encryptionkey can be provided by a keystore server that can ensure a user of theapplication server has authorization to access the resource encryptionkey. If the user is authorized, the keystore server can unwrap thewrapped key and provide the resource encryption key to the applicationserver. The keystore need not store any of the wrapped keys, insteadonly having access to a wrapped key when receiving a request to unwrapit.

FIG. 1A is a block diagram showing an example of a system 100 forproviding hosted storage and accessing the hosted storage from a clientdevice 102. System 100 is one example of a system that can employ akeystore for using wrapped keys, but other types of systems, providingother types of services, can employ a keystore for using wrapped keys.In some implementations, a hosted storage service 120 can provide accessto stored data by applications running on computing devicesgeographically separate from each other, provide offsite data backup andrestore functionality, provide data storage to a computing device withlimited storage capabilities, and/or provide storage functionality notimplemented on a computing device.

The system 100 can provide scalable stores for storing data resources.The client device 102 can upload data resources to the hosted storageservice 120 and control access to the uploaded data resources. Accesscontrol can include a range of security levels, from keeping datasecurely confidential to publishing it without restrictions. Data storedin hosted storage service 120 can be secured from unauthorized access.The hosted storage service 120 can use a simple and consistentapplication programming interface, or API, which can allow arbitraryquantities of structured or unstructured data to be kept private orshared between individuals, organizations, or with the world at large.The client device 102 can store data in the hosted storage service 120for mutual business reasons (e.g., submission of work product ordered bythe owner of the hosted storage service 120), or for use in dataprocessing by other services (e.g., images uploaded are used toautomatically and dynamically create a photo gallery web page.)

The client device 102 can be implemented using a computing device, suchas the computing device 800 or the mobile device 850 described withrespect to FIG. 8. The client device 102 can communicate with the hostedstorage service 120 via a network 104, such as the Internet. The clientdevice 102 can communicate across the network using communicationprotocols such as, for example, one or more of Transmission ControlProtocol/Internet Protocol (TCP/IP), Hypertext Transfer Protocol (HTTP),Secure Shell Remote Protocol (SSH), or Application Program Interfaces(API). While only a single client device 102 is shown, there can bemultiple client devices communicating across the network 104 with thehosted storage service 120 and/or other services and devices.

The hosted storage service 120 can be implemented such that clientapplications such as a client application 103 can store, retrieve, orotherwise manipulate data resources in the hosted storage service 120.The hosted storage service 120 can be implemented by one or more serverdevices, which can be implemented using a computing device, such as thecomputing device 800 or mobile device 850 described with respect to FIG.8. For example, the hosted storage service 120 can be implemented bymultiple server devices operating in the same, or different, datacenters.

The hosted storage service 120 generally includes an interface frontend106, an interface backend 108, a storage backend 110, metadata 116 forresources stored in the storage backend 110, and a keystore 109. Ingeneral, the interface frontend 106 may receive requests from and sendresponses to the client device 102. For instance, the hosted storageservice 120 can be implemented as a Web Service with a corresponding setof Web Service Application Programming Interfaces (APIs). The WebService APIs may be implemented, for example, as a RepresentationalState Transfer (REST)-based HTTP interface or a Simple Object AccessProtocol (SOAP)-based interface.

An interface frontend 106 can receive messages from the client 102 andparse the request into a format usable by the hosted storage service120, such as a remote procedure call (RPC) to an interface backend 108.The interface frontend 106 writes responses generated by the hostedstorage service 120 for transmission to the client 102. In someimplementations, multiple interface frontends 106 are implemented, forexample to support multiple access protocols.

The interface frontend 106 can include a graphical front end, forexample to display on a web browser for data access. The interfacefrontend 106 can include a sub-system to enable managed uploads anddownloads of large files (e.g., for functionality such as pause, resume,and recover from time-out). The interface frontend 106 can monitor loadinformation and update logs, for example to track and protect againstdenial of service (DOS) attacks.

As described above, the Web Service API may be a REST-based HTTPinterface. In a REST-based interface, a data resource is accessed as aresource, uniquely named using a URI, and the client application 103 andservice 120 exchange representations of resource state using a definedset of operations. For example, requested actions can be represented asverbs, such as by HTTP GET, PUT, POST, HEAD, and DELETE verbs. The GETverb may be used to retrieve a resource, while the HEAD verb may be usedto retrieve information about a resource without retrieving the resourceitself. The DELETE verb may be used to delete a resource from the hostedstorage service 120. The PUT and POST verbs may be used to upload aresource to the service 120. PUT requests can come from the client 102and contain authentication and authorization credentials and resourcemetadata in a header, such as an HTTP header. POST requests can bereceived when a client 102 wants to upload from a web browser form. Theform POST upload protocol for the hosted storage service 120 can involvemultiple required form fields to provide authentication, authorizationand resource metadata. More generally, any of the API requests mayinclude credentials for authentication and authorization, for example,in a header of the request. For example, an authorization header may beincluded in the REST requests, which include an access key to identifythe entity sending the request.

Alternatively, or additionally, a user can be authenticated based oncredentials stored in a browser cookie, which gets appended to the APIrequests. If no valid cookie is present, a redirect to an authenticationfrontend can be generated, and the authentication frontend can be usedto generate the browser cookie. The authentication frontend can be usedby systems and services in addition to the hosted storage service 120(e.g., if the organization operating the hosted storage service 120 alsooperates other web services such as email service.) A user can also oralternatively be authenticated based on authentication credentials froman external credentialing service or an external service that includescredentialing functionality. User or group identifier information can becalculated from the external service's credential information. Requestssent by the client 102 to the interface frontend 106 can be translatedand forwarded to the external service for authentication.

In general, resources stored in the hosted storage service 120 can bereferenced by resource identifiers. The hosted storage service 120 candefine namespaces to which a valid resource identifier must conform. Forexample, the namespace may require that resource identifiers be asequence of Unicode characters whose UTF-8 encoding is at most 1024bytes long. As another example, the namespace may require that resourceidentifiers be globally unique identifiers (GUIDs), which may be 128-bitintegers.

Resources can be stored in hosted storage service 120 in buckets. Insome examples, each bucket is uniquely named in the hosted storageservice 120, each resource is uniquely named in a bucket, and everybucket and resource combination is unique. Resources may be uniquelyidentified by a URI that includes the bucket name and the resource name,and identifies the hosted storage service 120. For example, a resourcenamed “long/song.mp3” in a bucket named “music” could be specified usinga URI pattern such ashttp://s.hostedstoragesystem.com/music/long/song.mp3 orhttp://music.s.hostedstoragesystem.com/long/song.mp3. Alternatively, theuser of the client 102 can create a bucket named www.music.org, publisha CNAME alias redirecting that tohttp://music.s.hostedstoragesystem.com, and address the resource ashttp://www.music.org/long/song.mp3. In some examples, buckets do notnest.

The interface backend 108 can handle request authentication andauthorization, can manage data and metadata, and can track activity suchas for billing. The interface backend 108 can provide functionality forindependent frontend/backend scaling for resource utilization andresponsiveness under localized heavy loads. Data management can beencapsulated in the interface backend 108 while communication servingcan be encapsulated in the interface frontend 106. The interface backend108 can isolate security mechanisms from the client-facing interfacefrontend 106.

The interface backend 108 can expose an interface usable by both theinterface frontend 106 and other systems. In some examples, somefeatures of the interface backend 108 are accessible only by aninterface frontend (not shown) used by the owners of the hosted storageservice 120 (internal users). Such features can include those needed foradministrative tasks (e.g., resolving a resource reference to a lowlevel disk address.) The interface backend 108 can handle requestauthentication (e.g., ensuring a user's credentials are valid) andauthorization (e.g., verifying that a requested operation is permitted.)The interface backend can also provide encryption and decryptionservices to prevent unauthorized access to data, even by internal users.

The interface backend 108 can manage metadata 116 associated with dataresources, for example in a structured data format such as a database(e.g., MySQL or BigTable). User-specified names labeling the buckets canbe completely defined within the metadata 116, and resource metadata 116can map a resource name to one or more data shares 112 storing theresource. The metadata 116 can also contain bucket and resource creationtimes, resource sizes, hashes, and access control lists 118 (ACL 118)for both buckets and resources. The interface backend 108 can logactivity and track storage consumption to support accounting for billingand chargebacks. In some examples, this includes quota monitoring ineach dimension in which customers are charged (e.g., reads, writes,network transfers, total storage in use.)

The ACLs 118 define who is authorized to perform actions oncorresponding buckets or resources, and the nature of the permittedactions. The ACLs 118 can be an unordered list of {scope, role} pairs,plus Boolean flags. The scope may define a user or group of users andthe role may define the access permissions for the user or group. Insome examples, the union of all {scope, role} pairs can define accessrights. In some examples, more specific {scope, role} pairs overridemore general ones. Table 1: Bucket Roles below shows a list of exampleroles that can be included in ACLs 118 for buckets. Table 2: ResourceRoles below shows a list of example roles that can be included in ACLs118 for data resources.

TABLE 1 Bucket Roles Role Capabilities READ Can list the bucket'scontents. Cannot create or delete resources. WRITE READ capabilitiesplus ability to create and delete resources in the bucket. FULL_CONTROLWRITE capabilities plus ability to read and write the bucket ACL.

TABLE 2 Resource Roles Role Capabilities READ Can read the resource.FULL_CONTROL READER capabilities plus ability to read and write theresource ACL.

Scopes can be defined to a single user or a group of users. In oneimplementation, those users with a FULL_CONTROL role (and therefore ableto modify the ACL for a given bucket or resource) may define a group ofusers, and then provide a role for the group. For example, a group ofusers may be managed by the hosted storage service 120 (or, moregenerally, by the service provider that provides the hosted storageservice 120) for reasons other than storage permissions (for example,for a message board or other service that employs groups) and thosegroups may be identified by a single username or other identifierassociated with the group of users, an e-mail address associated withthe group of users (which may or may not also correspond to anidentifier of the group), or a domain name associated with a group. Thismay allow a user to specify a preexisting group managed by the serviceprovider that is already defined by the identifier, e-mail address, ordomain name. Similarly, users may be able to specify a group of users(for example, by user id or e-mail address) and associate an access keywith the group. This may allow for the formation of ad-hoc groups forthe management of storage permissions, rather than groups alreadymanaged by the service provider.

In this way, a group of users can be given a particular role simply bymanaging the role of the group. Similarly, if the ACL is associated witha bucket containing a number of resources, or the ACL is otherwiseassociated with multiple resources, the role with respect to thoseresources can be easily changed by simply changing the role of thegroup.

Table 3: Scopes below shows a list of example scopes that can beincluded in ACLs 118 for buckets and/or data resources.

TABLE 3 Scopes Name Description Service ID A single authenticated userspecified by username. Email Address A single user specified by an emailaddress. Service Group ID A group of users managed by the hosted storageservice 120 and specified by an associated identifier. Invite Token Oneor more users with access to a one time use digital token.Group-Restricted One or more users with access to a permanent use Keydigital key. All Service Users All authenticated users of the hostedstorage service 120. All Users All users, no authentication. Can beanonymous or semi-anonymous.

The FULL_CONTROL role can represent all possible capabilities, such asthose assigned to a resource or bucket owner connected to a financiallyresponsible party. The bucket owner can be configured to always haveFULL_CONTROL for the bucket. In general, the bucket and/or resourceowner can create or modify scopes and roles in the corresponding ACLs,but in some implementations the pair {bucket owner, FULL_CONTROL} may beprevented from being removed from the bucket ACL 118 (or the resourceACL). To create a resource, a user can have write permission on thebucket, which can be granted by WRITE and FULL_CONTROL. WRITE permissionon the bucket can imply permission to delete or overwrite a resource inthe bucket. Additional constraints can disallow certain modifications toACLs 118. In some examples, it is possible to create a resource that thebucket owner cannot read.

A given ACL 118 can include a resource encryption key for an encrypteddata resource associated with the ACL 118 and stored in the hostedstorage service 120 or in other services (not shown). The resourceencryption key itself has been encrypted by the keystore 109. Theencrypted key can also carry associated metadata that iscryptographically bound to the key itself. Such keys are referred to aswrapped keys. From the point of view of the interface backend 108, thewrapped keys can be opaque resources. To obtain the cleartext key of awrapped key for use (e.g., to encrypt or decrypt a data resource,) theinterface backend 108 can provide the wrapped key and clientauthentication credentials to the keystore 109. The keystore 109 canverify, based in part on the wrapped key's metadata, that the providedauthentication credential is sufficient to authorize release of the key,and if so, can return the unwrapped key to the interface backend 108.The interface backend 108 can use the key to encrypt or decrypt the dataresource and then can discard the key.

In various implementations, the group exercising administrative controlof the interface backend 108 and the group exercising administrativecontrol over the keystore 109 may be different. This may provide greatersecurity for the stored data because two parties would need to cooperateto access resource encryption keys.

In some examples, the resource encryption key is a symmetric key thatcan be used to both encrypt and decrypt a resource. A wrapped key canhave associated metadata indicating multiple users or groups authorizedto access the cleartext key.

In some cases, the keystore 109 can copy a wrapped key and rewrap thekey for a different principal (e.g., containing different metadata).This may be considered the basis for the sharing of resources using atransitive trust model, which means a user must first have access to aresource before he or she can share that resource with another. As anexample, the interface backend 108 may receive a request from a firstuser to share a wrapped key (or a resource encrypted with a wrapped key)with a second user. The interface backend 108 can retrieve the wrappedkey from an ACL 118, and send, to the keystore 109, the wrapped key,authentication credentials for the first user and a user identifier forthe second user. They keystore 109 can unwrap the wrapped key, ensurethat the first user's authentication credentials match the wrapped key'suser identifier, and rewrap the wrapped key with the second user'sidentifier. The keystore 109 can return the new wrapped key to theinterface backend 108, who can store the new wrapped key in the ACL 118in association with the second user.

The resource encryption key can be generated by, for example, theinterface backend 108 and/or the keystore 109. For example, theinterface backend 108 can generate random or pseudo-random data to useas the resource encryption key. In another example, the interfacebackend 108 can request a new resource encryption key from the keystore109, and the keystore 109 can return random or pseudo-random data foruse as the resource encryption key.

Alternatively, the interface backend 108 can request a resourceencryption key from the keystore 109. For example, the interface backendcan identify a seed value from a data resource 114 to be encrypted, andsend that seed value to the keystore 109. The keystore can generate aresource encryption key from the seed value, and return it to theinterface backend.

In some implementations, the keystore 109 can use a deterministicprocess to produce resource encryption keys from seeds. That is, theresource encryption key returned by the keystore 109 may always be thesame for a provided seed value. In these implementations, if theinterface backend 108 uses a deterministic encryption technique toencrypt the data resources 114, identical data resources 114 will haveidentical ciphertexts.

In this case, the hosted storage system 120 may be designed to identifyand deduplicate data resources 114 that are identical. For example, ifthe hosted storage system 120 stores email attachments, it may be likelythat many emails may contain identical attachments (e.g. a popularvideo, image files in HTML newsletters). If the interface backend 108uses the attachment data resources 114, or a hash calculated from thedata resources 114, as seed values, the resultant resource encryptionkeys generated by the keystore 109 will be identical for each identicaldata resource 114. If the interface backend 108 uses a deterministicencryption algorithm to encrypt the data resources 114, the resultantcypertext of the encrypted data resources 114 can be identical. Withmultiple copies of identical encrypted data resources 114 in thedatastores 112, the interface backend can perform deduplicatingprocesses to reduce the storage space used by the identical encrypteddata resources 114. For example, if an encrypted data resource 114 isidentical to another encrypted data resource 114, the interface backend108 may delete the extra copy and replace it with a pointer to the otherinstance of the encrypted data resource 114.

There are other cases in which the interface backend 108 may request aresource encryption key from a seed value from the keystore 109. Forexample, the interface backend 108 may use user authentication data as aseed value. They keystore 109 can require that the user be authenticatedby the keystore 109 before supplying a resource encryption key based onuser authentication data. When storing user preferences as dataresources 114, the interface backend 108 can use that user'sauthentication data as a seed value.

The storage backend 110 can contain multiple datastores 112 a-112 c.Although three datastores 112 are shown, more or fewer are possible.Each of the datastores 112 a-112 c can store data resources 114 a-114 cin a particular format. For example, data store 112 a can store a dataresource 114 a as a Binary Large Object (BLOB), data store 112 b canstore a data resource 114 b in a distributed file system (e.g., NetworkFile System), and data store 112 c can store a data resource 114 c in astructured data format such as a database (e.g., MySQL).

In some implementations, the hosted storage system 120 can receive arequest to encrypt data from one user using another user's wrapped key.For example, the client application 103 can upload a data file and awrapped key to the hosted storage service 120 with a request to encryptthe data file with the resource encryption key in the wrapped key. Inthis example, the user of the client application 103 need not be theuser specified in the wrapped key's user identifier. Here, the keystore109 can act like a so-called “encryption oracle” that provides similarfunctionality as that found in a public key cryptography system.

The interface backend 108 can send the received data file and thewrapped key to keystore 109 with a request to encrypt the data file withthe wrapped key. The keystore 109 can unwrap the wrapped key and use theresource encryption key to encrypt the data file. The wrapped key may bediscarded by the keystore 109, and the encrypted data file can bereturned to the interface backend 108. The interface backend 108 canthen return the encrypted data file to the client application 103. Assuch, the user of the client application 103 can receive the encrypteddata file, without ever having access to the resource encryption keywithin the wrapped key.

FIG. 1B is a block diagram showing an example of a wrapped key scheme150 that may be used, for example, in the system 100. The scheme 150provides for a system of cryptographic keys that are secret andinaccessible to the hosted storage service 120, which stores the wrappedkeys. Wrapped keys are encrypted and thus unusable in their base state.Wrapped keys are useful for granular access control. The scheme 150permits creation and cataloging of keys at the same level of detail asaccess control lists used in data storage systems. Wrapped keys may bestored on disk near the data that they are used to encrypt, which mayprovide good performance and availability in data storage systems.

The data resource 114 is any resource that a system operator may want toprotect via encryption. An ACL 118 is associated with the data resource114 and describes the access permissions for the data resource 114.Here, a user “Alice” has READ and WRITE access, and a user “Dr. Bob” hasREAD access.

A resource encryption key, K_Bar, can be generated by, for example, theinterface backend 108 or the keystore 109 and used to encrypt the dataresource 114. The ACL 118 can be modified to store a wrapped key foreach user entry. Each wrapped key can contain the resource encryptionkey K_Bar, metadata identifying the data resource 114, and useridentification information. Each of the wrapped key is generated by thekeystore 109 using a master key, K_Master.

The user identification information may be associated with a single user(e.g., Alice or Dr. Bob, as shown) or with a group of users. Forexample, user identification information for wrapped keys can identifyany of the scopes for the ACL 118 described previously in Table 3,including Service Group ID, Group-Restricted Key, All Service Users, andAll Users.

The encrypted data resource 114 and ACL 118 may be stored together, forexample in adjacent memory locations, which may result in the dataresource 114 and the associated wrapped keys being stored together,minimize memory reading operations. Alternatively, the data resource 114and ACL 118 may be store separately, for example in a datastore 112 andmetadata 116. When one of the users, Alice or Dr. Bob, attempt to accessthe encrypted data resource 114, the wrapped key and the user'sauthentication credentials can be sent to the keystore 109. If the sentauthentication credentials correspond to the user identifier (or groupidentifier) in the wrapped key, the keystore 109 can return the resourceencryption key K_Bar in unencrypted form to the interface backend 108,and the encrypted data resource 114 can be decrypted.

The ACL 118 can contain one entry per principal, with one wrapped keyper entry. Each wrapped key can be completely decoupled from otherwrapped key and entries in the same ACL 118. That is, a change to oneentry and/or wrapped key does not affect the other wrapped keys. Assuch, access to the data resource 114 can be managed at a granular levelby adding, removing, or editing individual ACL 118 entries. For example,to remove access for the Dr. Bob user, the interface backend 108 candelete the Dr. Bob entry in the ACL 118—no adjustment to the otherentries in the ACL 118 or to the data resource 114 may be needed.

In some implementations, a wrapped key can be stored in the ACL 118 forinvited and/or shared users. For example, if Alice would like to sharethe data resource 114 with other principals, the interface backend 108can create an entry in the ACL 118 for other users. The interfacebackend 108 can request from the keystore 109 a wrapped key for the dataresource 114 containing a secret token (e.g., a random characterstring). The hosted storage system 120 can provide the secret token toAlice to distribute, or can distribute the secret token on Alice'sbehalf. For example, the hosted storage system 120 can generate an emailfor Alice that invites the recipients to access the data resource 114via a URI that has the secret token embedded. The URI can be an addressof a request to the hosted storage system 120 to access the dataresource 114.

The interface backend can send the secret token wrapped key and thereceived secret token to the keystore 109. If the wrapped secret tokenand the received secret token match, the keystore can return theresource encryption key, permitting the interface backend to decrypt andprovide the data resource 114.

In some implementations, the secret token wrapped key can also contain auser identifier, for example if Alice intends to only share the dataresource 114 with a particular principal. In these cases, the keystore109 can verify the user authentication credentials of the requestinguser, as well as the secret token, in order to return the resourceencryption key.

FIG. 2 is a flow chart showing an example of a process 200 for storingdata in a hosted storage service. The process 200 can be performed by,for example, the interface frontend 106 and the interface backend 110,and for clarity of presentation, the description that follows uses thesystem 100 as the basis for describing the process. However, anothersystem, or combination of systems, may be used to perform the process200.

A request is received by the interface frontend 106 from the clientapplication 103 to store a resource (202). The request can include aHTTP PUT or POST request, an authentication credential thatauthenticates the principal (entity) making the request, a dataresource, and a target for the resource consisting of a bucket and dataresource name. In some examples, the authentication credentials caninclude an interoperable authentication header, token, or cookie. Theinterface frontend can make a RPC to the backend 108 including therequest headers.

The interface backend 108 can examine and validate the authenticationcredentials (204). For example, native credentials (e.g., user ID,token) can be validated using internal validation features of the hostedstorage service 120. External credentials (e.g., user names andpasswords for another system) can be sent to the associated externalsystem for validation.

The interface backend 108 can query the request's target bucket's ACL118 to determine if the authenticated principal is permitted to create aresource in the bucket (206). For example, the principal or a group theprincipal is a member of can have the WRITE or FULL_CONTROL roleassigned in the bucket's ACL 118, which would allow the principal tocreate a resource in the bucket. If the principal is not authorized tocreate a resource, the request is denied.

Otherwise, the interface backend 108 uploads the resource to the targetbucket with the target data resource name to a datastore 112 (208). Insome examples, each bucket is associated with only a single datastore112, and specifying a target bucket specifies a datastore 112. In someexamples, the interface backend 108 can examine the data resource or usea parameter in the RPC from the interface frontend 106 to determinewhich datastore 112 to store the resource in, with associated metadata116 indicating the location of the resource (that is, the particulardatastore the resource is stored in and the resource's location in thatdatastore).

The interface backend 108 can encrypt the resource using a resourceencryption key. In some examples, the interface backend 108 can performthis encryption before or after uploading the resource to the targetbucket. The interface backend 108 can generate the resource encryptionkey, for example by sampling a pseudo-random number generator orcalculating a hash value of data such as the resource or an inputstream. Alternatively, the interface backend can generate a seed valueand request a resource encryption key from the keystore 109 based onthat seed value. Example seeds can include, but are not limited to useridentifier (e.g. a userID or principalID), scope values, resourceidentifiers, and arbitrary byte strings.

The interface backend 108 re-validates the principal's authenticationand authorization (210). To support long-running uploads, expiry timesof authentication credentials can be temporarily ignored, and insteadthe action 204 can be substantially repeated.

The interface backend 108 generates a new resource key request to thekeystore 109 for a wrapped key for the newly-uploaded resource (212).The request can include the resource encryption key, a resourceidentifier for the newly-uploaded resource, and a user identifier forthe principal that uploaded the resource. The keystore 109 generates andencrypts a wrapped key (214) and can provide the wrapped key to theinterface backend 108. The wrapped key can include the resourceencryption key, resource identifier, and user identifier in the requestfrom the interface backend 108.

The interface backend 108 creates an ACL 118 representing the accesscontrol list for the newly created resource (216). In some example, adefault ACL 118 is used or an ACL 118 can be specified by the requestfrom the client 102.

The interface backend 108 generates a new wrapped key request to thekeystore 109 for a wrapped key for every principal (user or group) inthe ACL 118 with permissions to read the resource or modify theresource's ACL 118 (218). Each new wrapped key is tied to a singleprincipal (user or group), and contains the resource identifier andresource encryption key used to encrypt the resource.

For example, the request received by the interface frontend 106 from theclient application 103 may indicate one or more other principals thatshould have shared access to the resource. To create wrapped keys foreach of the other principals, the interface backend 108 can send, to thekeystore 109, a wrapped key, authentication credentials for theprincipal that uploaded the resource, and a user identifier for adifferent principal. The keystore 109 can unwrap the key, verify thatthat the received authentication credentials match the wrapped key'suser identifier, and rewrap the key with the user identifier for thedifferent principal. The keystore 109 can then return the new wrappedkey for the different principal to the interface backend 108.

The interface backend 108 stores the resource's ACL 118 and wrapped keysin the resource's metadata 116 (220). The resource encryption key orkeys can be discarded by the interface backend 108.

FIG. 3 is a flow chart showing an example of a process for providingdata in a hosted storage service. The process 300 can be performed by,for example, the interface frontend 106 and the interface backend 110,and for clarity of presentation, the description that follows uses thesystem 100 as the basis for describing the process. However, anothersystem, or combination of systems, may be used to perform the process300.

A request is received by the interface frontend 106 from the clientapplication 103 to download a resource (302). The request can include aHTTP GET request, an authentication credential that authenticates theprincipal (entity) making the request, and a target consisting of abucket (and optionally data resource) name. In some examples, theauthentication credentials can include an interoperable authenticationheader, token, or cookie. The interface frontend can make a RPC to thebackend 108 including the request headers.

The interface backend 108 examines and validates the authenticationcredentials included in the request (304). For example, nativecredentials (e.g., user ID, token) can be validated using internalvalidation features of the hosted storage service 120. Externalcredentials (e.g., user names and passwords for another system) can besent to the associated external system for validation.

The interface backend 108 queries the request's bucket or resource ACL118 to determine if the authenticated principal is permitted to read thetarget (306). For example, the principal or a group the principal is amember of can have the READ, WRITE or FULL_CONTROL role assigned, whichwould allow the principal to read or otherwise access the target. If theprincipal is not authorized to read or access the resource, the requestis denied.

Otherwise, the interface backend 108 determines if the request is for abucket or for a resource (308). If the request is for a bucket, theinterface backend 108 queries for a list of the bucket's contents (310)and the listing is returned to the client application 103 (312).

If the request is for an resource, the interface backend 108 looks upthe appropriate wrapped key for the given authenticated requestor fromthe resource's metadata 116 (314). The interface backend 108 sends thewrapped key and the authentication credentials to the keystore 109,which can return the decrypted resource encryption key to the interfacebackend 108 (316). The interface backend 108 can fetch and decrypt thetarget resource (318) to be returned to the client application 103(320).

FIG. 4 is a flow chart showing an example of a process 400 forunwrapping a wrapped key. The process 400 can be performed by, forexample, the keystore 109, and for clarity of presentation, thedescription that follows uses the system 100 and the scheme 150 as thebasis for describing the process. However, another system, orcombination of systems, may be used to perform the process 400.

Authentication credentials and a wrapped key are received at a keyserver system from an application server system (402). For example, thekeystore 109 can receive authentication credentials and a wrapped keyfrom the interface backend 108. The authentication credentials canspecify one or more users, and may take the form of a variety offormats. In one or more implementations, wrapped keys may contain datathat is only accessible by an application server with validauthentication credentials.

The wrapped key includes a resource identifier, a resource encryptionkey, and a user identifier that have been encrypted using a master key.The resource identifier identifies a resource encrypted with theresource encryption key and the user identifier identifies a user thatis permitted to use the resource encryption key to decrypt the resource.For example, the resource identifier can describe a resource with whichthe resource encryption key is associated. Resource ID, file pathnames,and universal resource locators are all examples of resourceidentifiers. The resource encryption key can be the cryptographic keythat has been, or will be, used to encrypt the resource identified bythe resource identifier. For the wrapped keys in the ACL 118, theresource encryption key is K_Bar, the resource identifier is “Bar”, andthe user identifier is either Alice or Dr. Bob.

In some implementations, the authentication credentials are a characterstring embedded in a uniform resource identifier (URI). For example,some user authentication schemes can produce a unique character stringfor an authorized user. That character string can be included in to URIrequest to identify a user associated with the request. A serviceassociated with the wrapped key is identified (404). For example, inaddition to a wrapped key and authentication credentials, a serviceidentifier may be received. The wrapped key is decrypted with a masterkey associated with the service (406). For example, the keystore 109 maystore a collection of master keys, one per service, which are used forencrypting and decrypting the wrapped keys associated with a singleservice. After identifying the service, the keystore 109 may access,based on the identified service, the master key associated with theidentified service and use the master key to decrypt the wrapped key.For instance, keystore 109 may identify, based on the identifiedservice, the master key associated with the service, access theidentified master key, and use the accessed master key to decrypt thewrapped key. Likewise, when wrapping keys, keystore 109 may identify theservice, identify, based on the identified service, the master keyassociated with the service, access the identified master key, and usethe accessed master key to wrap the key. In other implementations, thesame master key may be used for different services.

The format of the authentication credentials and user identifier areidentified (408). The keystore 109 may recognize many authenticationformats, and the hosted storage system 120 may use one or more of thoseformats to authenticate users and identify principals in the ACLs 118.For example, the hosted storage system 120 may use its own nativeauthentication system, and may also allow users of a third partyauthentication system use credentials from that third partyauthentication system. In this example, entries in the ACLs 118 and inwrapped keys may be in either the native or third party format. Thekeystore 109 may, as a preliminary authentication action, determine thatthe format of the authentication credentials and the user identifier arethe same or compatible. The keystore 109 determines if the receivedauthentication credentials correspond to the accessed user identifieraccording to the identified format (410). For example, the keystore 109may use the identified format to determine the processes needed tocompare the authentication credentials and user identifier. For someformats, the keystore 109 can provide the authentication credentials anduser identifier to a third party authentication system and receive anindication of correspondence. For some other formats, the keystore 109can perform the determination directly by selecting a format-appropriatecomparison function, and using the authentication credentials and useridentifier as parameters for the function. For example, some formats ofauthentication credentials and user identifier may be comparable bydetermining if both consist of the same data (e.g. character string,cookie). If both consist of identical data, then they can be consideredto correspond. Some formats may require some pre-processing of theauthentication credentials and/or user identifier, for example toconvert the authentication credentials into the format of the useridentifier, or vice-versa.

In some implementations, the user identifier may indicate no more thanone user. For example, in the ACL 118 of FIG. 1B, each wrapped key useridentifier indicates only one user, Alice or Dr. Bob. In this case, whenmore than one user is able to access the data resource 114, multiplewrapped keys, one for each user, are stored in the ACL 118.

In some implementations, the user identifier and/or the authenticationcredentials may indicate multiple users in a group. That is, the useridentifier acts as a group identifier when used in relation to a group.For example, Table 3 lists some example scopes that include groups ofmultiple users. When the keystore 109 is determining if theauthentication credentials correspond to the group specified in the useridentifier, the keystore may determine that the authenticationcredentials belong to a group identified by the user identifier, insteadof just strictly matching the user identifier.

If the received authentication credentials do not correspond to theaccessed user identifier, a failure indication is sent (412). Forexample, the keystore 109 can return to the interface backend 108 anerror or failure message that specifies that the authenticationcredentials do not match the user identifier in the received wrappedkey.

If the received authentication credentials do correspond to the accesseduser identifier, the resource encryption key is sent in unencrypted formto the application server system (414). For example the keystore 109 cantransmit to the interface backend 108 the resource encryption key inunencrypted form. The interface backend 108 can then use the resourceencryption key, such as described in the processes 200 and 300. In someimplementations, communication between the keystore 109 and theinterface backend 108 can use an encrypted transfer protocol such asTransport Layer Security (TLS) so that the encryption key is encryptedin transport.

FIG. 5 is a flow chart showing an example of a process for creating aresource encryption key from a seed value. The process 500 can beperformed by, for example, the keystore 109, and for clarity ofpresentation, the description that follows uses the system 100 and thescheme 150 as the basis for describing the process. However, anothersystem, or combination of systems, may be used to perform the process500.

A seed value is received from the application server system (502). Forexample, the interface backend 108 can send a seed value to the keystore109. The seed value can be based on data available to the interfacebackend 108 and/or arbitrary data. For example, for use in encryptinguser preferences, the interface backend 108 can use some data relatingto each user as a seed value for a wrapped key for each user'spreferences. Additionally, an arbitrary character string can be appendedto the seed data by the interface backend 108. In another case, the seedcan be based on the resource that is to be encrypted. For example, theinterface backend 108 can send a copy of the resource to the keystore109 to be used as a seed value, or a hash of the resource may becalculated by the interface backend 108 and send to the keystore 109 tobe used as a seed value.

The resource encryption key is generated from the seed value (504). Forexample, the keystore 109 can use the seed value and a master key asparameters to a pseudo random function, such as a keyed cryptographichash function, to generate a resource encryption key. Most or allone-way functions that can be used to generate the resource encryptionkey are deterministic algorithm. Assuming keyed cryptographic hashfunction is deterministic, the resource encryption key is determined bythe seed value, and any set of wrapped keys with identical seed valueswill also have identical resource encryption keys.

The resource encryption key is sent to the application server system(506). For example, the keystore 109 can return the newly generatedresource encryption key to the interface backend 108 for use inencrypting data resources 114.

FIG. 6 is a flow chart showing an example of a process 600 for using akeystore to facilitate user-to-user sharing of encrypted data. In thisprocess, a keystore can use a wrapped key to encrypt data from one userusing another user's wrapped key. The process 600 can be performed by,for example, the keystore 109, and for clarity of presentation, thedescription that follows uses the system 100 and the scheme 150 as thebasis for describing the process. However, another system, orcombination of systems, may be used to perform the process 600.

The process 600 can be used to encrypt data with a wrapped key by anyactor, even if the actor is not authorized to access the unwrapped key.This process can mimic functionality available in public key encryptionschemes. In one or more implementations, wrapped keys may be used tofacilitate public key encryption functionality without requiring thecomputation of public key/private key pairs.

A resource in unencrypted form and a wrapped key are received from anapplication server system (602). For example, the keystore 109 canreceive from the interface backend 108 an encryption request thatincludes an encrypted resource and a wrapped key. The request need notspecify that the interface backend 108 access or receive the resourceencryption key from the wrapped key, only that the keystore 109 use itto encrypt the resource.

The wrapped key is decrypted to access the resource encryption key(604). For example, the keystore 109 can decrypt the wrapped key to gainaccess to the resource encryption key in the wrapped key. The resourceis encrypted from unencrypted form into encrypted form with the resourceencryption key (606). For example, keystore 109 can encrypt the resourceusing the accessed resource encryption key. Once the resource isencrypted, the keystore 109 may discard the wrapped key and the resourceencryption key.

The encrypted resources are sent to the application server system (608).For example, the keystore 109 can return the encrypted resource to theinterface backend 108, which may forward the encrypted resource to anexternal system or store the encrypted resource, as previouslydescribed.

Once encrypted, the user identified in the wrapped key used encrypt theresource may access the resource. For example, if the encrypted resourceis stored in a datastore 112 by the hosted storage system 120, theidentified user may log into the hosted storage system 120 and accessthe encrypted resource. The interface backend can send, to the keystore109, the user's authentication credentials and the wrapped keyassociated with the resource. Since the user's authenticationcredentials would match the user identifier in the wrapped key, thekeystore 109 can return the resource encryption key to the interfacebackend. With the resource encryption key, the interface backend 108 candecrypt the resource and provide it to the user.

In some implementations, a keystore that performs the process 600 maylater perform the process 400. For example, an application server systemcan provide hosted email service to users. Email resources can bereceived by that application server even when the recipient user is notlogged in. Since the recipient user may not logged in, authenticationcredentials for that user may not available to the application serversystem, and the application server system may not be able tosuccessfully request the resource encryption key from the user's wrappedkey. In order to encrypt the email for storage until it can be accessedby the user, the application server system can send the email and theuser's wrapped key to a keystore. The keystore can perform the process600 and return the email in encrypted form back to the applicationserver system.

Later, the user may log in, making the user's authentication credentialsavailable to the application server system. The application serversystem can send the user's authentication credentials to the samekeystore, along with the user's wrapped key. The keystore can performthe process 400 and return the resource encryption key from the wrappedkey, permitting the application server system to decrypt the user'se-mail.

Another implementation that uses the same keystore to perform theprocesses 400 and 600 could include a first user creating and giving aresource to a second user. For example, a financial institution may usan application server system to generate reports or statements for eachaccount holder. Each report or statement may be encrypted by a keystoreusing the process 600, and stored on the application server system. Whena user attempts to access the statement, the application server systemcan send a request to the same keystore to perform the process 400 sothat the application server system can access the resource encryptionkey and decrypt the statement for the user.

In some implementations, different keystores can perform the process 400and 600. For example, a research firm may use an application serversystem to compile statistical data that includes sensitive information(e.g., medical, financial, privacy, or security information). Theresearch firm's application server system may request a local keystoreto encrypt the sensitive information with a client specific wrapped keyusing the process 600. The research firm may transmit the encrypted datato the client through any suitable type of communication channel,including unsecure channels such as standard email, parcel delivery, orvia a minimally secured internet connection. The client can receive theencrypted information at a different application server system, whichmay offer different serves than the research firm's application serversystem, without ever exposing the plaintext of the sensitive informationto any other parties. The client's application server system can thenrequest a different keystore to perform the process 400 in order toaccess the resource encryption key to decrypt the sensitive information.

FIG. 7 is a flow chart showing an example lifecycle 700 of an ACL 118.Although the steps of the lifecycle 700 show an order of steps, it isnot implied that each step leads directly to another. The steps shownare a listing of possible steps that may be performed on an ACL 118 inroughly chronological order. The actual order, number, and kind of stepswill be dependent on implementation details and usage of the hostedstorage system 120.

A bucket or resource is created by the backend interface 108 based onrequests from the client application 103 (702). The client request caninclude a bucket name, a resource name, and/or an ACL 118. The principalrequesting the new bucket or resource is authenticated and made theowner of the bucket or resource.

If an ACL 118 is specified in the request (704), the specified ACL 118is associated with the bucket or resource. If the specified ACL 118 doesnot include a {scope, role} pair specifying the principal havingFULL_CONTROL, one such {scope, role} pair can be added to the ACL 118.In one implementation, an ACL may be specified in a request byenumerating each scope and role pair to be included in the ACL, or maybe specified by reference to the name of a pre-specified or “canned”ACL. A list of pre-specified or ‘canned’ ACLs 118 is shown in Table 4Canned ACLs below. The canned ACLs 118 can be cataloged by the hostedstorage system 120 and referenced by the client application 103 by name,rather than requiring the request enumerate each scope and role pair.

TABLE 4 Canned ACLs Canned ACL Name {scope, permission} private{creating user or bucket owner, FULL_CONTROL} public-read {all users,READ} {bucket owner, FULL_CONTROL} public-read-write {all users, WRITE}{bucket owner, FULL_CONTROL} authenticated-read {all authenticatedusers, READ} {bucket owner, FULL_CONTROL} bucket-owner-read {bucketowner, READ} [for resources only] {resource owner, FULL_CONTROL}bucket-owner-full-control {bucket owner, FULL_CONTROL} [for resourcesonly] {resource owner, FULL_CONTROL}

If an ACL 118 is not specified in the request (704), a default ACL 118can be used (708). For example, bucket and resource creation can defaultto the “private” canned ACL 118 for authenticated users. For resourcecreation by unauthenticated users, such as for new resources created ina “public-read-write” bucket, a default of “bucket-owner-full-control”can be used.

An ACL 118 can be served, for example, to a principal with READ, WRITE,or FULL_CONTROL of the associated bucket or resource (710). For example,a client application 103 can perform a HTTP GET to a target's URI withthe query string ?acl to retrieve the ACL associated with the target.The ACL 118 can be serialized and returned to the client application103.

The serialization may be defined, for example, by the following extendedBackus-Naur form. Nonterminals appear in sans serif italics, terminalsappear in Courier Bold, { } denote zero or more repetitions, [ ] encloseoptional entities, separates alternatives, and ( ) denote grouping. Theterminal symbols canonical-id, email-address, and domain are defined inEnglish below:

access-control-list: <AccessControlList>ownerentries</AccessControlList>

owner: <Owner>id</Owner>

entries: <Entries>entry {entry}</Entries>

entry: <Entry>(permission scope|scope permission)</Entry>

permission: <Permission>(READ|WRITE|FULL_CONTROL)</Permission>

scope: <Scope type=UserById>id</Scope>

|<Scope type=UserByEmail>email</Scope>

|<Scope type=GroupById>id</Scope>

|<Scope type=GroupByEmail>email</Scope>

|<Scope type=GroupByDomain><Domain>domain</Domain></Scope>

|<Scope type=AllUsers/>

|<Scope type=AllAuthenticatedUsers/>

id: <ID>canonical-id</ID>[<Name>text</Name>]

|[<Name>text</Name>]<ID>canonical-id</ID>

email:<EmailAddress>email-address</EmailAddress>[<Name>text</Name>]|[<Name>text</Name>]<EmailAddress>canonical-id</EmailAddress>

text: {printable character excluding<and >}

canonical-id: 64 hex digits

email-address: standard RFC 822 email address

domain: standard RFC 822 domain specification

A canonical-id or an email-address can identify a user or a group. Acanonical-id is the encrypted service id for the user or group. Emailaddresses are a convenience for specifying canonical ids. In someimplementations, the ACLs returned from the system always containcanonical ids. The <Name>text</Name>element may be used for informationpurposes only such that it is otherwise ignored by the system, and thesystem does not return it if there is no public name associated with theuser or group.

An example serialized ACL 118 is shown below.

<AccessControlList>

<Owner>

<ID>a9a7b886d6fd24a52fe8ca5bef65f89a64e0193f23000e241bf9b1c61be666e9</ID>

<Name>chriscustomer</Name>

</Owner>

<Entries>

<Entry><Permission>FULL_CONTROL</Permission>

<Scope type=UserById>

<ID>a9a7b886d6fd24a52fe8ca5bef65f89a64e0193f23000e241bf9b1c61be666e9</ID>

<Name>chriscustomer</Name>

</Scope>

</Entry>

<Entry><Permission>FULL_CONTROL</Permission>

<Scope type=UserById>

<ID>79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be</ID>

<Name>Frank</Name>

</Scope>

</Entry>

<Entry><Permission>FULL_CONTROL</Permission>

<Scope type=UserById>

<ID>de019164ebb0724ff67188e243eae9 ccbebdde523717cc312255d9a82498e394a</ID>

<Name>Jose</Name>

</Scope>

</Entry>

<Entry><Permission>READ</Permission><Scope type=AllUsers></Entry>

</Entries>

</AccessControlList>

An ACL 118 can be updated, for example by a principal with WRITE orFULL_CONTROL of the associated bucket or resource (712). In someexamples, a client must read, modify, and write an ACL 118 in order toupdate an ACL 118. In this example, the ACL 118 is served (710) as partof modification (712). In some implementations, a client application 103can send ACL update requests to the hosted storage system 120.

FIG. 8 shows an example of a computing device 800 and a mobile computingdevice that can be used to implement the techniques described here. Thecomputing device 800 is intended to represent various forms of digitalcomputers, such as laptops, desktops, workstations, personal digitalassistants, servers, blade servers, mainframes, and other appropriatecomputers. The mobile computing device is intended to represent variousforms of mobile devices, such as personal digital assistants, cellulartelephones, smart-phones, and other similar computing devices. Thecomponents shown here, their connections and relationships, and theirfunctions, are meant to be exemplary only, and are not meant to limitimplementations of the inventions described and/or claimed in thisdocument.

The computing device 800 includes a processor 802, a memory 804, astorage device 806, a high-speed interface 808 connecting to the memory804 and multiple high-speed expansion ports 810, and a low-speedinterface 812 connecting to a low-speed expansion port 814 and thestorage device 806. Each of the processor 802, the memory 804, thestorage device 806, the high-speed interface 808, the high-speedexpansion ports 810, and the low-speed interface 812, are interconnectedusing various busses, and may be mounted on a common motherboard or inother manners as appropriate. The processor 802 can process instructionsfor execution within the computing device 800, including instructionsstored in the memory 804 or on the storage device 806 to displaygraphical information for a GUI on an external input/output device, suchas a display 816 coupled to the high-speed interface 808. In otherimplementations, multiple processors and/or multiple buses may be used,as appropriate, along with multiple memories and types of memory. Also,multiple computing devices may be connected, with each device providingportions of the necessary operations (e.g., as a server bank, a group ofblade servers, or a multi-processor system).

The memory 804 stores information within the computing device 800. Insome implementations, the memory 804 is a volatile memory unit or units.In some implementations, the memory 804 is a non-volatile memory unit orunits. The memory 804 may also be another form of computer-readablemedium, such as a magnetic or optical disk.

The storage device 806 is capable of providing mass storage for thecomputing device 800. In some implementations, the storage device 806may be or contain a computer-readable medium, such as a floppy diskdevice, a hard disk device, an optical disk device, or a tape device, aflash memory or other similar solid state memory device, or an array ofdevices, including devices in a storage area network or otherconfigurations. A computer program product can be tangibly embodied inan information carrier. The computer program product may also containinstructions that, when executed, perform one or more methods, such asthose described above. The computer program product can also be tangiblyembodied in a computer- or machine-readable medium, such as the memory804, the storage device 806, or memory on the processor 802.

The high-speed interface 808 manages bandwidth-intensive operations forthe computing device 800, while the low-speed interface 812 manageslower bandwidth-intensive operations. Such allocation of functions isexemplary only. In some implementations, the high-speed interface 808 iscoupled to the memory 804, the display 816 (e.g., through a graphicsprocessor or accelerator), and to the high-speed expansion ports 810,which may accept various expansion cards (not shown). In theimplementation, the low-speed interface 812 is coupled to the storagedevice 806 and the low-speed expansion port 814. The low-speed expansionport 814, which may include various communication ports (e.g., USB,Bluetooth, Ethernet, wireless Ethernet) may be coupled to one or moreinput/output devices, such as a keyboard, a pointing device, a scanner,or a networking device such as a switch or router, e.g., through anetwork adapter.

The computing device 800 may be implemented in a number of differentforms, as shown in the figure. For example, it may be implemented as astandard server 820, or multiple times in a group of such servers. Inaddition, it may be implemented in a personal computer such as a laptopcomputer 822. It may also be implemented as part of a rack server system824. Alternatively, components from the computing device 800 may becombined with other components in a mobile device (not shown), such as amobile computing device 850. Each of such devices may contain one ormore of the computing device 800 and the mobile computing device 850,and an entire system may be made up of multiple computing devicescommunicating with each other.

The mobile computing device 850 includes a processor 852, a memory 864,an input/output device such as a display 854, a communication interface866, and a transceiver 868, among other components. The mobile computingdevice 850 may also be provided with a storage device, such as amicro-drive or other device, to provide additional storage. Each of theprocessor 852, the memory 864, the display 854, the communicationinterface 866, and the transceiver 868, are interconnected using variousbuses, and several of the components may be mounted on a commonmotherboard or in other manners as appropriate.

The processor 852 can execute instructions within the mobile computingdevice 850, including instructions stored in the memory 864. Theprocessor 852 may be implemented as a chipset of chips that includeseparate and multiple analog and digital processors. The processor 852may provide, for example, for coordination of the other components ofthe mobile computing device 850, such as control of user interfaces,applications run by the mobile computing device 850, and wirelesscommunication by the mobile computing device 850.

The processor 852 may communicate with a user through a controlinterface 858 and a display interface 856 coupled to the display 854.The display 854 may be, for example, a TFT (Thin-Film-Transistor LiquidCrystal Display) display or an OLED (Organic Light Emitting Diode)display, or other appropriate display technology. The display interface856 may comprise appropriate circuitry for driving the display 854 topresent graphical and other information to a user. The control interface858 may receive commands from a user and convert them for submission tothe processor 852. In addition, an external interface 862 may providecommunication with the processor 852, so as to enable near areacommunication of the mobile computing device 850 with other devices. Theexternal interface 862 may provide, for example, for wired communicationin some implementations, or for wireless communication in otherimplementations, and multiple interfaces may also be used.

The memory 864 stores information within the mobile computing device850. The memory 864 can be implemented as one or more of acomputer-readable medium or media, a volatile memory unit or units, or anon-volatile memory unit or units. An expansion memory 874 may also beprovided and connected to the mobile computing device 850 through anexpansion interface 872, which may include, for example, a SIMM (SingleIn Line Memory Module) card interface. The expansion memory 874 mayprovide extra storage space for the mobile computing device 850, or mayalso store applications or other information for the mobile computingdevice 850. Specifically, the expansion memory 874 may includeinstructions to carry out or supplement the processes described above,and may include secure information also. Thus, for example, theexpansion memory 874 may be provide as a security module for the mobilecomputing device 850, and may be programmed with instructions thatpermit secure use of the mobile computing device 850. In addition,secure applications may be provided via the SIMM cards, along withadditional information, such as placing identifying information on theSIMM card in a non-hackable manner.

The memory may include, for example, flash memory and/or NVRAM memory(non-volatile random access memory), as discussed below. In someimplementations, a computer program product is tangibly embodied in aninformation carrier. The computer program product contains instructionsthat, when executed, perform one or more methods, such as thosedescribed above. The computer program product can be a computer- ormachine-readable medium, such as the memory 864, the expansion memory874, or memory on the processor 852. In some implementations, thecomputer program product can be received in a propagated signal, forexample, over the transceiver 868 or the external interface 862.

The mobile computing device 850 may communicate wirelessly through thecommunication interface 866, which may include digital signal processingcircuitry where necessary. The communication interface 866 may providefor communications under various modes or protocols, such as GSM voicecalls (Global System for Mobile communications), SMS (Short MessageService), EMS (Enhanced Messaging Service), or MMS messaging (MultimediaMessaging Service), CDMA (code division multiple access), TDMA (timedivision multiple access), PDC (Personal Digital Cellular), WCDMA(Wideband Code Division Multiple Access), CDMA2000, or GPRS (GeneralPacket Radio Service), among others. Such communication may occur, forexample, through the transceiver 868 using a radio-frequency. Inaddition, short-range communication may occur, such as using aBluetooth, WiFi, or other such transceiver (not shown). In addition, aGPS (Global Positioning System) receiver module 870 may provideadditional navigation- and location-related wireless data to the mobilecomputing device 850, which may be used as appropriate by applicationsrunning on the mobile computing device 850.

The mobile computing device 850 may also communicate audibly using anaudio codec 860, which may receive spoken information from a user andconvert it to usable digital information. The audio codec 860 maylikewise generate audible sound for a user, such as through a speaker,e.g., in a handset of the mobile computing device 850. Such sound mayinclude sound from voice telephone calls, may include recorded sound(e.g., voice messages, music files, etc.) and may also include soundgenerated by applications operating on the mobile computing device 850.

The mobile computing device 850 may be implemented in a number ofdifferent forms, as shown in the figure. For example, it may beimplemented as a cellular telephone 880. It may also be implemented aspart of a smart-phone 882, personal digital assistant, or other similarmobile device.

Various implementations of the systems and techniques described here canbe realized in digital electronic circuitry, integrated circuitry,specially designed ASICs (application specific integrated circuits),computer hardware, firmware, software, and/or combinations thereof.These various implementations can include implementation in one or morecomputer programs that are executable and/or interpretable on aprogrammable system including at least one programmable processor, whichmay be special or general purpose, coupled to receive data andinstructions from, and to transmit data and instructions to, a storagesystem, at least one input device, and at least one output device.

These computer programs (also known as programs, software, softwareapplications or code) include machine instructions for a programmableprocessor, and can be implemented in a high-level procedural and/orobject-oriented programming language, and/or in assembly/machinelanguage. As used herein, the terms machine-readable medium andcomputer-readable medium refer to any computer program product,apparatus and/or device (e.g., magnetic discs, optical disks, memory,Programmable Logic Devices (PLDs)) used to provide machine instructionsand/or data to a programmable processor, including a machine-readablemedium that receives machine instructions as a machine-readable signal.The term machine-readable signal refers to any signal used to providemachine instructions and/or data to a programmable processor.

To provide for interaction with a user, the systems and techniquesdescribed here can be implemented on a computer having a display device(e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor)for displaying information to the user and a keyboard and a pointingdevice (e.g., a mouse or a trackball) by which the user can provideinput to the computer. Other kinds of devices can be used to provide forinteraction with a user as well; for example, feedback provided to theuser can be any form of sensory feedback (e.g., visual feedback,auditory feedback, or tactile feedback); and input from the user can bereceived in any form, including acoustic, speech, or tactile input.

The systems and techniques described here can be implemented in acomputing system that includes a back end component (e.g., as a dataserver), or that includes a middleware component (e.g., an applicationserver), or that includes a front end component (e.g., a client computerhaving a graphical user interface or a Web browser through which a usercan interact with an implementation of the systems and techniquesdescribed here), or any combination of such back end, middleware, orfront end components. The components of the system can be interconnectedby any form or medium of digital data communication (e.g., acommunication network). Examples of communication networks include alocal area network (LAN), a wide area network (WAN), and the Internet.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other.

What is claimed is:
 1. A method performed by one or more processors, themethod comprising: receiving, from an application server system and at akey server system, a seed value; generating, at the key server system, aresource encryption key from the seed value; sending, from the keyserver system to the application server system, the resource encryptionkey such that the application server system is able to encrypt aresource using the resource encryption key; receiving, from theapplication server system and at the key server system, authenticationcredentials and a wrapped key, the wrapped key including a resourceidentifier, a resource encryption key, and a user identifier that havebeen encrypted using a master key, wherein the resource identifieridentifies the resource encrypted with the resource encryption key andthe user identifier identifies a user that is permitted to use theresource encryption key to decrypt the resource; decrypting the wrappedkey to generate an unwrapped key that includes the resource identifier,the resource encryption key, and the user identifier in unencryptedform; accessing the user identifier from the unwrapped key; determiningthat the received authentication credentials correspond to the accesseduser identifier; and in response to determining that the receivedauthentication credentials correspond to the accessed user identifier,sending the resource encryption key in unecrypted form to theapplication server system such that the application server system candecrypt the resource using the resource encryption key in unencryptedform.
 2. The method of claim 1, the method further comprising:identifying a service associated with the wrapped key; and whereindecrypting the wrapped key includes decrypting the wrapped key using amaster key associated with the service.
 3. The method of claim 1, themethod further comprising: receiving, from the application server and atthe key server system, a sharing request that includes i) theauthentication credentials, ii) the wrapped key, and iii) a second useridentifier; decrypting the wrapped key included in the request togenerate the unwrapped key; accessing the user identifier from theunwrapped key; determining that the received authentication credentialscorrespond to the accessed user identifier; and in response todetermining that the received authentication credentials correspond tothe accessed user identifier: replacing the user identifier in theunwrapped key with the second user identifier; encrypting the unwrappedkey to generate a second wrapped key; and sending the second wrapped keyto the application server system.
 4. The method of claim 1, wherein theuser identifier indicates no more than one user.
 5. The method of claim1, the method further comprising: identifying a format of theauthentication credentials and the user identifier; and determining thatthe received authentication credentials correspond to the accessed useridentifier according to the identified format.
 6. The method of claim 1,the method further comprising: encrypting the resource using theresource encryption key to generate an encrypted version of theresource; detecting duplicates of the encrypted version of the resourcestore in a storage system; and removing the detected duplicates from thestorage system.
 7. The method of claim 6 wherein removing the detectedduplicates from the storage system comprises deleting the detectedduplicates and replacing the deleted duplicates with a pointer to theencrypted version of the resource.
 8. The method of claim 6 whereinencrypting the resource using the resource encryption key to generatethe encrypted version of the resource comprises encrypting the resourceusing the resource encryption key and a deterministic encryptiontechnique.
 9. The method of claim 1 wherein the seed value is based onthe resource.
 10. The method of claim 9 wherein the seed value is a hashcalculated from the resource.
 11. A computer system comprising: a keyserver system comprising a processor and memory and configured to:receive, from an application server system and at a key server system, aseed value; generate, at the key server system, a resource encryptionkey from the seed value; send, from the key server system to theapplication server system, the resource encryption key such that theapplication server system is able to encrypt a resource using theresource encryption key; receive, from the application server system andat the key server system, authentication credentials and a wrapped key,the wrapped key including a resource identifier, a resource encryptionkey, and a user identifier that have been encrypted using a master key,wherein the resource identifier identifies the resource encrypted withthe resource encryption key and the user identifier identifies a userthat is permitted to use the resource encryption key to decrypt theresource; decrypt the wrapped key to generate an unwrapped key thatincludes the resource identifier, the resource encryption key, and theuser identifier in unencrypted form; access the user identifier from theunwrapped key; determine that the received authentication credentialscorrespond to the accessed user identifier; and in response todetermining that the received authentication credentials correspond tothe accessed user identifier, send the resource encryption key inunecrypted form to the application server system such that theapplication server system can decrypt the resource using the resourceencryption key in unencrypted form.
 12. The system of claim 11, the keyserver system further configured to: identify a service associated withthe wrapped key; and wherein decrypting the wrapped key includesdecrypting the wrapped key using a master key associated with theservice.
 13. The system of claim 11, the key server system furtherconfigured to: receive, from the application server and at the keyserver system, a sharing request that includes i) the authenticationcredentials, ii) the wrapped key, and iii) a second user identifier;decrypt the wrapped key included in the request to generate theunwrapped key; access the user identifier from the unwrapped key;determine that the received authentication credentials correspond to theaccessed user identifier; and in response to determining that thereceived authentication credentials correspond to the accessed useridentifier: replace the user identifier in the unwrapped key with thesecond user identifier; encrypt the unwrapped key to generate a secondwrapped key; and send the second wrapped key to the application serversystem.
 14. The system of claim 11, wherein the user identifierindicates no more than one user.
 15. The system of claim 11, wherein thekey server system is further configured to: identify a format of theauthentication credentials and the user identifier; and determine thatthe received authentication credentials correspond to the accessed useridentifier according to the identified format.
 16. The system of claim11, wherein the application server is further configured to: encrypt theresource using the resource encryption key to generate an encryptedversion of the resource; detect duplicates of the encrypted version ofthe resource store in a storage system; and remove the detectedduplicates from the storage system.
 17. The system of claim 16 wherein,to remove the detected duplicates from the storage system, theapplication server is configured to delete the detected duplicates andreplace the deleted duplicates with a pointer to the encrypted versionof the resource.
 18. The system of claim 16 wherein, to encrypt theresource using the resource encryption key to generate the encryptedversion of the resource, the application server is configured to encryptthe resource using the resource encryption key and a deterministicencryption technique.
 19. The system of claim 11 wherein the seed valueis based on the resource.
 20. The system of claim 19 wherein the seedvalue is a hash calculated from the resource.
 21. A non-transitorycomputer readable medium storing instructions that, when executed by oneor more processing devices, cause the one or more processing devices toperform operations including: receiving, from an application serversystem and at a key server system, a seed value; generating, at the keyserver system, a resource encryption key from the seed value; sending,from the key server system to the application server system, theresource encryption key such that the application server system is ableto encrypt a resource using the resource encryption key; receiving, fromthe application server system and at the key server system,authentication credentials and a wrapped key, the wrapped key includinga resource identifier, a resource encryption key, and a user identifierthat have been encrypted using a master key, wherein the resourceidentifier identifies the resource encrypted with the resourceencryption key and the user identifier identifies a user that ispermitted to use the resource encryption key to decrypt the resource;decrypting the wrapped key to generate an unwrapped key that includesthe resource identifier, the resource encryption key, and the useridentifier in unencrypted form; accessing the user identifier from theunwrapped key; determining that the received authentication credentialscorrespond to the accessed user identifier; and in response todetermining that the received authentication credentials correspond tothe accessed user identifier, sending the resource encryption key inunecrypted form to the application server system such that theapplication server system can decrypt the resource using the resourceencryption key in unencrypted form.
 22. The medium of claim 21, theoperations further including: identifying a service associated with thewrapped key; and wherein decrypting the wrapped key includes decryptingthe wrapped key using a master key associated with the service.
 23. Themedium of claim 21, the operations further including: receiving, fromthe application server and at the key server system, a sharing requestthat includes i) the authentication credentials, ii) the wrapped key,and iii) a second user identifier; decrypting the wrapped key includedin the request to generate the unwrapped key; accessing the useridentifier from the unwrapped key; determining that the receivedauthentication credentials correspond to the accessed user identifier;and in response to determining that the received authenticationcredentials correspond to the accessed user identifier: replacing theuser identifier in the unwrapped key with the second user identifier;encrypting the unwrapped key to generate a second wrapped key; andsending the second wrapped key to the application server system.
 24. Themedium of claim 21, wherein the user identifier indicates no more thanone user.
 25. The medium of claim 21, the operations further including:identifying a format of the authentication credentials and the useridentifier; and determining that the received authentication credentialscorrespond to the accessed user identifier according to the identifiedformat.
 26. The medium of claim 21, the operations further including:encrypting the resource using the resource encryption key to generate anencrypted version of the resource; detecting duplicates of the encryptedversion of the resource store in a storage system; and removing thedetected duplicates from the storage system.
 27. The medium of claim 26wherein removing the detected duplicates from the storage systemcomprises deleting the detected duplicates and replacing the deletedduplicates with a pointer to the encrypted version of the resource. 28.The medium of claim 26 wherein encrypting the resource using theresource encryption key to generate the encrypted version of theresource comprises encrypting the resource using the resource encryptionkey and a deterministic encryption technique.
 29. The medium of claim 21wherein the seed value is based on the resource.
 30. The medium of claim29 wherein the seed value is a hash calculated from the resource.